steviez Posted July 28, 2007
Hi, I was wondering if I could get some people to beta test my new site. It's located at www.myportabledisk.com. Please tell me if there are any faults or if you think there should be any changes. Thanks
lightningstrike Posted July 28, 2007
Looks pretty good to me. Other than the fact that your download wait time is pretty much ineffective, as it just includes the download link in a JavaScript variable, escaped, allowing any user to unescape the link and get the value inside. Perhaps a more effective approach would be a session variable with the current time assigned to the user. Then a JavaScript timer using AJAX could call the download link and check the session variable against the current time. Also, users seem to be able to directly link to files, which may or may not be intended.
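The session-based countdown lightningstrike describes, written out as an added example (not code from the thread or from the site): the server owns the clock, so nothing the client unescapes shortens the wait. It assumes a hypothetical download.php?f=<id> endpoint polled by the timer, and uploads stored in a hypothetical directory outside the web root, which also stops direct linking.

```php
<?php
// Added example, not code from the thread or from myportabledisk.com: the
// countdown lives in the session, so unescaping a JavaScript variable no
// longer helps. Assumed (hypothetical): uploads sit outside the web root in
// UPLOAD_DIR and the timer polls download.php?f=<id>, then loads it with &go=1.
declare(strict_types=1);
session_start();

const WAIT_SECONDS = 30;
const UPLOAD_DIR   = '/home/portable/uploads'; // hypothetical, not under public_html

// Accept only an opaque id of safe characters; the client never names a path.
$fileId = $_GET['f'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $fileId)) {
    http_response_code(400);
    exit('bad file id');
}

// First request for this id starts the clock; later polls read it back.
$startedAt = $_SESSION['wait'][$fileId] ?? null;
if ($startedAt === null) {
    $startedAt = time();
    $_SESSION['wait'][$fileId] = $startedAt;
}
$remaining = max(0, $startedAt + WAIT_SECONDS - time());

// The AJAX timer polls without &go=1 and only ever gets JSON back.
$wantsFile = isset($_GET['go']);
if ($remaining > 0 || !$wantsFile) {
    header('Content-Type: application/json');
    exit(json_encode(['ready' => $remaining === 0, 'remaining' => $remaining]));
}

// Countdown satisfied: consume it so the next download needs a fresh wait,
// then stream the bytes ourselves. Because nothing under UPLOAD_DIR has a
// URL, direct linking to files stops working as a side effect.
unset($_SESSION['wait'][$fileId]);
$path = UPLOAD_DIR . '/' . $fileId;
if (!is_file($path)) {
    http_response_code(404);
    exit('no such file');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $fileId . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```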
Daniel0 Posted July 28, 2007
Instead of using <img> tags as bullets, you might want to actually use an unordered list (<ul>) and then change the bullet using CSS. The places I'm talking about are places like the login form and the box saying stuff like "Share files with all of your friends and upload them only once". Also, it's called "sponsor", not "sponser". How can the server load suddenly go from "low" to "high" and then to "low" again (after each page refresh)? When the page has been uploaded: the delete image (http://www.myportabledisk.com/images/ico_delete.gif) needs background transparency or a background similar to the container. On the front page: the "help" icon (http://www.myportabledisk.com/images/question.gif) has the same issues as the above image.
MemphiS Posted July 28, 2007
SQL injection on register...

    Warning: fopen(/home/portable/public_html/.htaccess) [function.fopen]: failed to open stream: Permission denied in /home/portable/public_html/signup.php
    Warning: fwrite(): supplied argument is not a valid stream resource in /home/portable/public_html/signup.php on line 171
    Warning: fclose(): supplied argument is not a valid stream resource in /home/portable/public_html/signup.php on line 172
MemphiS Posted July 28, 2007
Register doesn't check the email for an @
MemphiS Posted July 28, 2007
You're able to delete any file. I haven't checked if I can delete some of your actual site scripts, but you should check that the user that uploaded the script is the only one allowed to delete that file. Simply use an IP check or something.
steviez (Author) Posted July 28, 2007
> You're able to delete any file. I haven't checked if I can delete some of your actual site scripts, but you should check that the user that uploaded the script is the only one allowed to delete that file. Simply use an IP check or something.

How do I do that when people's IP addresses change all the time?
MemphiS Posted July 28, 2007
Well, it's better for a few to miss out on deleting their file instead of leaving it wide open. Or you could make the Delete option only available to registered users... Also, your admin area needs some security. I'm currently logged in as admin; it's vulnerable to SQL injection. Block /includes/ and /admin/ through .htaccess.
Daniel0 Posted July 28, 2007
Instead of doing an IP check (regarding file deletion), make users able to specify a file password. They could then attach the file to their account if they later chose to register, and they would need the password in order to delete the file if they are unregistered.
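The ownership check MemphiS asks for and the file-password variant Daniel0 proposes, combined in one added example (not code from the thread or from the site). It assumes a hypothetical files table with owner_id, password_hash and stored_name columns, a hypothetical upload directory outside the web root, and that the delete password was stored with password_hash() at upload time.

```php
<?php
// Added example, not code from the thread or the site: authorise a delete by
// the owning account or by a file password, as Daniel0 suggests, instead of
// by IP address. Assumed (hypothetical) schema: files(id, owner_id NULL,
// password_hash NULL, stored_name); uploads live outside the web root.
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/home/portable/uploads'; // hypothetical

/** Removes the file only when the caller proves ownership; true on success. */
function deleteFile(PDO $db, string $fileId, ?int $sessionUserId, string $password): bool
{
    // Bound parameter, never string concatenation: the same habit keeps the
    // register and admin pages free of the SQL injection MemphiS found.
    $stmt = $db->prepare('SELECT owner_id, password_hash, stored_name FROM files WHERE id = ?');
    $stmt->execute([$fileId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown id gives the same answer as "not allowed"
    }

    if ($row['owner_id'] !== null) {
        // Registered upload: the logged-in account must be the owner.
        $allowed = $sessionUserId !== null && (int) $row['owner_id'] === $sessionUserId;
    } else {
        // Anonymous upload: the delete password set at upload (password_hash()).
        $allowed = $row['password_hash'] !== null
            && password_verify($password, $row['password_hash']);
    }
    if (!$allowed) {
        return false;
    }

    // stored_name is generated by the server at upload time; basename() is
    // defence in depth so a "../" in the column could never leave UPLOAD_DIR.
    $path = UPLOAD_DIR . '/' . basename($row['stored_name']);
    $db->prepare('DELETE FROM files WHERE id = ?')->execute([$fileId]);
    return !is_file($path) || unlink($path);
}

// Usage in delete.php (POST only; placeholder DSN and credentials):
$db = new PDO('mysql:host=localhost;dbname=portable', 'dbuser', 'dbpass');
$userId = isset($_SESSION['member_id']) ? (int) $_SESSION['member_id'] : null;
$ok = deleteFile($db, $_POST['id'] ?? '', $userId, $_POST['password'] ?? '');
echo $ok ? 'Deleted.' : 'Not allowed.';
```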
steviez (Author) Posted July 28, 2007
> Well, it's better for a few to miss out on deleting their file instead of leaving it wide open. Or you could make the Delete option only available to registered users... Also, your admin area needs some security. I'm currently logged in as admin; it's vulnerable to SQL injection. Block /includes/ and /admin/ through .htaccess.

Has that worked? I have blocked access using this:

    <Files ~ "^/admin/">
    Order allow,deny
    Deny from all
    </Files>
steviez (Author) Posted July 28, 2007
> You're able to delete any file. I haven't checked if I can delete some of your actual site scripts, but you should check that the user that uploaded the script is the only one allowed to delete that file. Simply use an IP check or something.

How? It looks for a specific file and deletes from a folder under the site root. Thanks
MemphiS Posted July 28, 2007
your /admin/ is still showing
steviez (Author) Posted July 28, 2007
> your /admin/ is still showing

What's the best way to stop it?
MemphiS Posted July 28, 2007
> <Files ~ "^/admin/">
> Order allow,deny
> Deny from all
> </Files>

You would be denying yourself using that. Also, it is in an incorrect format and you forgot the allow. Create a .htaccess in the /admin/ directory and place the following:

    <Files *>
        # Deny is evaluated first, then Allow, so the listed address wins.
        Order deny,allow
        Deny from all
        Allow from 124.0.0
    </Files>

Change the first 124.0.0 to your IP. This will allow access to you and deny everyone else.
MemphiS Posted July 28, 2007
Your "members" area doesn't check for a valid $_SESSION that is alive. I deleted my account, then pressed back, and now have a non-existent account:

    MyPortableDisk.com members profile for ""
    Account Type: Free, Account No: ()
    Files Uploaded: 6 Files
    Disk Space Used 1.5803 MB
MemphiS Posted July 28, 2007
What on earth does this mean in English? Zadejte prosim Vasi adresu elektronicke posty
steviez (Author) Posted July 28, 2007
> Your "members" area doesn't check for a valid $_SESSION that is alive. I deleted my account, then pressed back, and now have a non-existent account:
>
> MyPortableDisk.com members profile for ""
> Account Type: Free, Account No: ()
> Files Uploaded: 6 Files
> Disk Space Used 1.5803 MB

This I know about, although I cannot seem to fix it.
MemphiS Posted July 28, 2007
If you're using a session, simply do this... and place it at the top:

    <?php
    session_start();
    // SQL connection etc. here...
    if (empty($_SESSION['member'])) {
        header("Location: ./index.php");
        exit; // without this the rest of the page still runs after the redirect header
    }
    ?>
steviez (Author) Posted July 28, 2007
> What on earth does this mean in English? Zadejte prosim Vasi adresu elektronicke posty

Where did this come from?
MemphiS Posted July 28, 2007
When I tried updating my profile without an email.. I found half of your /js/ functions have that other language used in them...
steviez (Author) Posted July 28, 2007
> When I tried updating my profile without an email.. I found half of your /js/ functions have that other language used in them...

Well, I never designed the site, you see, so it's what the old owner had in place.
MikeDXUNL Posted July 30, 2007
I signed up as ../signup.php and when I go to my members folder: http://www.myportabledisk.com/folders/../signup.php it redirects you to http://www.myportabledisk.com/signup.php. On registration use an alphanumeric check or something of the sort.

EDIT: I also signed up as <marquee>pwned. Eliminated by strip_tags().
steviez (Author) Posted July 30, 2007
> I signed up as ../signup.php and when I go to my members folder: http://www.myportabledisk.com/folders/../signup.php it redirects you to http://www.myportabledisk.com/signup.php. On registration use an alphanumeric check or something of the sort.
>
> EDIT: I also signed up as <marquee>pwned. Eliminated by strip_tags().

How do I stop this being done?
MikeDXUNL Posted July 30, 2007
Like I said.. on registration do something like

    if (!ctype_alnum($username)) {
        echo "Username is Invalid!";
    } else {
        // continue registration
    }

meaning if the posted username is not numeric or alphabetic, it's invalid... otherwise continue the rest of the registration code.
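The ctype_alnum check above, extended into an added example (not code from the thread or from the site) that also refuses to resolve a member folder outside the folders root, so a stored name like the ../signup.php MikeDXUNL registered could never be used as a path even if it reached the database. The folders root path is an assumption built from the paths quoted earlier in the thread.

```php
<?php
// Added example, not from the thread: reject usernames like "../signup.php"
// or "<marquee>pwned" at registration, and never let a stored name escape the
// members folder even if a bad one ever gets into the database.
// Assumed (hypothetical): member folders live under FOLDERS_ROOT.
declare(strict_types=1);

const FOLDERS_ROOT = '/home/portable/public_html/folders'; // hypothetical

function validUsername(string $name): bool
{
    // ctype_alnum rejects ".", "/", "<", ">" and whitespace; the length bound
    // keeps absurdly long names from becoming file-system problems.
    return ctype_alnum($name) && strlen($name) >= 3 && strlen($name) <= 32;
}

/** Resolve a member's folder, refusing anything outside FOLDERS_ROOT. */
function memberFolder(string $name): ?string
{
    if (!validUsername($name)) {
        return null;
    }
    $root = realpath(FOLDERS_ROOT);
    $path = realpath(FOLDERS_ROOT . '/' . $name);
    // realpath() collapses any ".." so a prefix comparison is exact.
    if ($root === false || $path === false || strpos($path, $root . '/') !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs, including the two MikeDXUNL used in the thread:
foreach (['steviez', '../signup.php', '<marquee>pwned', 'ab'] as $candidate) {
    printf("%-16s -> %s\n", $candidate, validUsername($candidate) ? 'ok' : 'rejected');
}
```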
pcman Posted August 5, 2007
I checked your system and... I uploaded a file and your system is not protected from XSS files; I can upload XSS files. I'm very sorry about my English, I am Israeli =S...
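Why an uploaded HTML file becomes XSS on a file host, and the two measures that remove it, as an added example (not code from the thread or from the site): the stored name is chosen by the server and the file is only ever served as a forced download with MIME sniffing disabled. The upload directory, size limit and the upload.php/get.php usage are assumptions.

```php
<?php
// Added example (not from the thread or the site). Uploaded HTML runs as a
// page on the site's own origin if it is served straight from a web folder,
// which is the XSS pcman reports. Two measures close that: store uploads
// outside the web root under a random server-chosen name, and serve them only
// through a script that forces a download. Paths and limits are hypothetical.
declare(strict_types=1);

const UPLOAD_DIR = '/home/portable/uploads'; // not under public_html
const MAX_BYTES  = 50 * 1024 * 1024;

/** Store an upload; returns the opaque id the download link will use. */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // The id, not the user's file name, becomes the name on disk, so
    // "evil.php", "x.html" or "../x" never reach the file system.
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('could not store upload');
    }
    // The original name is kept only as display data, e.g. in the database row.
    return $id;
}

/** Headers that make the browser save, not render, whatever was uploaded. */
function downloadHeaders(string $originalName, int $size): array
{
    // Only a safe ASCII name goes into Content-Disposition; no quotes or CR/LF.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($originalName)) ?: 'download';
    return [
        'Content-Type'            => 'application/octet-stream',
        'Content-Disposition'     => 'attachment; filename="' . $safe . '"',
        'X-Content-Type-Options'  => 'nosniff',                     // no sniffing to text/html
        'Content-Security-Policy' => "default-src 'none'; sandbox", // in case it is ever rendered
        'Content-Length'          => (string) $size,
    ];
}

// Usage on upload.php:   $id = storeUpload($_FILES['userfile']);
// Usage on get.php, after looking the row up by id and locating $path:
//   foreach (downloadHeaders($row['original_name'], filesize($path)) as $h => $v) {
//       header("$h: $v");
//   }
//   readfile($path);
```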